# ory-network
l
I have a question about the Actions for the Recovery flow. The Recovery flow has two submits: (1) submit email; (2) submit recovery code. When do the before and after actions occur? Thanks.
s
I would assume after the whole flow is done, as that's what we basically have everywhere
l
So I’ve set up a flow-interrupting webhook for after recovery. When my endpoint responds with 403, the redirect after the form submit is to a new recovery flow, and this flow contains my custom error msg. But the user is still granted an Ory session. So the flow isn’t being blocked.
s
so the recovery flow gives you a session, but also an error?
l
Yes. The original flow seems to be successful. Then it starts a new flow with the error
original flow:
s
how did you set up the webhook? what is the config?
l
Through the new Actions UI. But the config looks correct to me:
```json
"recovery": {
  "after": {
    "hooks": [
      {
        "config": {
          "auth": {
            "config": {
              "in": "header",
              "name": "Authorization",
              "value": "Bearer REDACTED"
            },
            "type": "api_key"
          },
          "body": "https://storage.googleapis.com/bac-gcs-production/51c1912d59454d98f7d0ea2365809b52ef7d6f09f6f97ccf9363da95b7aa4a8ce396b349572762843dd43f325aa4ccb4e3e7ad3fa2ebc7ddf248cad84518b460.jsonnet",
          "can_interrupt": false,
          "method": "POST",
          "response": {
            "ignore": false,
            "parse": true
          },
          "url": "https://REDACTED/v1.0/webhooks/ory/recovery/after"
        },
        "hook": "web_hook"
      }
    ]
  },
  "before": {
    "hooks": []
  },
  "enabled": true,
  "lifespan": "30m0s",
  "notify_unknown_recipients": true,
  "ui_url": "/ui/recovery",
  "use": "code"
},
```
s
yes looks correct from a first look, maybe there is a bug...
I'll continue investigation tomorrow
After comparing recovery and registration, it seems that the recovery hook does not allow interrupting the flow in the same way as registration does:
When using an `after` registration hook, you can define the specific point in the flow where this webhook is called:
• When the webhook parses the response, the logic is called before the system creates a new identity.
• When the webhook does not parse the response, the logic is called after the system creates a new identity.
I'll open an issue for that case, but currently it is not really possible to achieve what you are trying.
l
Thanks for looking into it. I should have searched GitHub first. This is a blocker for us. The Recovery flow allows you to bypass signing in, and some of our users are only allowed to sign in using OIDC. So we must prevent them from using recovery. Should I create an issue in ory/network too? Those issues seem to get a bit more attention. I may look at submitting a PR with the fix. Can you please point me to the file where the recovery hooks are implemented?
s
You find all relevant code under `selfservice/flows/recovery`
It should be a fairly manageable change, you can compare the code to registration as it works there
I can prio the review 👍
l
Thanks. I’ll take a look.
I think it should behave more like the post-login hook than the post-registration hooks. Though it is not clear to me how, if `PostLoginHook` fails, the session (`sess`) gets destroyed/cancelled: https://github.com/ory/kratos/blob/master/selfservice/flow/login/handler.go#L781 Seems we would need to do the same thing here, https://github.com/ory/kratos/blob/master/selfservice/strategy/code/strategy_recovery.go#L396, instead of retrying the recovery flow.
s
hm but are you sure it works for login?
l
Yes, it works for login
Looks like the login flow calls `NewInactiveSession` vs `NewActiveSession` for recovery.
I think we can just follow the same pattern on recovery
l
s
I think you still have to split the hooks, so run some before that, and some after
but maybe it is also overkill
just that login and registration split the hooks 🤔
l
registration has `PostRegistrationPrePersistHook` and `PostRegistrationPostPersistHook`. But login only has one post hook.
s
so if it is `parse: true` it automatically interrupts on errors? otherwise it runs async and cannot interrupt?
should work I guess...
I'd recommend moving the hook, seeing if all tests still pass, and then adding a new one for your case
ah in the registration case a hook might want to update the identity before it is created, while on login/recovery you just get a session
l
exactly
s
so should be fine to just move
l
Now I just need to get the Kratos dev env running
s
go test -tags sqlite,json1 -short -failfast ./...
should be enough
l
Is it possible to have someone review this PR: https://github.com/ory/kratos/pull/3393
s
sure, sorry, lost track of it
l
thanks